Pete's Log: HackerBox 0070

Entry #1995, (Coding, Hacking, & CS stuff, Smokepacking)
(posted when I was 43 years old.)

Hackerbox 0070 arrived yesterday. Here's a first look.

No alt text found for this picture. Please email to complain.

Is that a Spork? It is! A tactical hacking spork!

No alt text found for this picture. Please email to complain.

Digging the NPN BJT patch and the cassette tape sticker. Haven't ever used Tor so that sticker will have to go in the unused sticker pile for now.

No alt text found for this picture. Please email to complain.

The back side of the PCB has a Caesar cipher. There were a couple hints in the instructions that there would be something like this in the box. Here's the text if you're curious. Dwyg Pda Lhwjap!

So the main theme of this box is to build an internet radio based on ESP32 Radio. The radio is based on an ESP32 with a VS1053 MP3 audio decoder module, a TFT LCD display, a infrared remote and receiver, a rotary encoder/push button switch, and an SD card reader to hold mp3s if you want local music instead of internet music.

It's a pretty cool concept, but this is the first box in a while that I don't want to put together right away. I want to figure out where/how/when I want to use this before I commit to soldering the components to the PCB.

  • Where would I use this?
  • How will I use it?
    • Mounting all the components on the PCB that came with the box would probably look cool as a minimalist raw device
    • But the ESP32 Radio project page also has a picture of a cool 3D-printed-looking case
    • ESP32 Radio also claims to support MQTT so HA integration is an option
    • Any time I see an old radio at an antique store I feel inclined to want to gut it and put in some modern electronics, and this would be a good foundation for such a project, but if everything's soldered in close proximity on one board, it's not going to be terribly well suited for that purpose
    • Maybe this is the dev/qa/prototype platform and I can buy additional components for use in a proper case if I ever find one?

I don't know. It's cool. I don't immediately need it. I have lots of ideas. I think it's going to go in the pile of uncompleted Hackerboxes (which is much smaller than it used to be) for now until I decide how to use it.

Before getting to the assembly of the radio, the instructions include an unrelated suggestion to try Bluetooth Low Energy Capture The Flag (BLECTF) on the ESP32. So I did that. It's basically a firmware you flash onto the ESP32 that guides you through 20 challenges designed to teach you a little about BLE and Linux tools for BLE.

Esgerbeastie's motherboard has bluetooth, so that's what I started with. Before capturing any flags, you need to find the MAC address of your ESP32, and that's where I first got stuck. The BLECTF instructions suggest using either Bluez or Bleah for talking BLE. The Bleah github repo has been wiped and replaced with a deprecation message linking to a different project. Bluez was already installed on Esgerbeastie. So I went with Bluez.

The BLECTF instructions for Bluez say to run

sudo hcitool blescan

I think that's a typo and it's supposed to be lescan and not blescan. Here's what that got me:

$ sudo hcitool lescan Set scan parameters failed: Input/output error

Sigh. Searched and tried various things and finally came across a suggestion to use bluetoothctl instead of hcitool, and I found the MAC address.

The first few challenges were easy enough (once I read the instructions correctly), but then I got stuck on a challenge where I needed to send a write request with a spoofed MAC address. Bluez is supposed to include a utility called bdaddr for modifying your Bluetooth MAC address, but Debian doesn't include it in the Bluez package, so I decided to compile it from source. That was easy enough, but didn't get me much further.

$ sudo ./bdaddr -i hci0 11:22:33:44:55:66 Manufacturer: Intel Corp. (2) Device address: 08:XY:XY:XY:XY:F1 (Intel Corporate) Unsupported manufacturer

Sigh again. But then I remembered my armada of pis and remoted into one of them, and sure enough it had bdaddr and it worked on the first try. So I got that flag. Out of curiosity I also tried hcitool lescan on the pi and it worked just fine. So it looks like Esgerbeastie's Bluetooth hardware just isn't terribly well supported.

The last challenge was to find the Twitter handle of the BLECTF author, take the md5 hash of it, and then write the first 20 characters of that via BLE to a handle on the ESP32. Should be easy enough.

$ echo @hackgnar|md5sum|head -c 20;printf '\n' 7b6b57120625e6fcb84a $ gatttool -b 94:B9:7E:D8:EF:FE --char-write-req -a 0x002c -n $(echo -n "7b6b57120625e6fcb84a"|xxd -ps) Characteristic value was written successfully $ gatttool -b 94:B9:7E:D8:EF:FE --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n' Score:19/20

It took me way longer than I care to admit to realize I was md5 hashing a newline at the end of the Twitter handle. 🤦‍♂️

$ echo -n @hackgnar|md5sum|head -c 20;printf '\n' d953bfb9846acc2e15ee $ gatttool -b 94:B9:7E:D8:EF:FE --char-write-req -a 0x002c -n $(echo -n "d953bfb9846acc2e15ee"|xxd -ps) Characteristic value was written successfully $ gatttool -b 94:B9:7E:D8:EF:FE --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n' Score:20/20